Secure smart card access to pre-paid metering funds in meter

ABSTRACT

The system has a postal security device that contains stored postage value and that causes a nonsecure printer to print a postage indicium onto a mail piece. The postal security device is also attached to a secure card interface, which receives a secure card. The postal security device is connected to the TMS host by a data link, and the TMS host is connected to the postal authority by a data link.

This application is a 371 of PCT/US97/06703 filed Apr. 23, 1997 which claims benefit of provisional No. 60/016,083 filed Apr. 23, 1996.

TECHNICAL FIELD

The invention relates generally to postage meters (franking machines) in connection with secure chip cards (e.g. smart cards) containing encoded information indicative of stored value, and relates more particularly to making stored value in a postage meter available to the holder of a card containing such encoded information.

BACKGROUND ART

Postage meters are well known and in common use. A classic postage meter is composed of a memory representing stored postage value, and a printing mechanism for printing postage indicia on mail pieces, all in a secure housing. It has also been proposed to use what is termed a “postal security device” or PSD, connected via a nonsecure communications channel with a nonsecure printer, as a substitute for a classic postage meter. The PSD has a secure housing, and encrypted information is communicated from the PSD to the printer for printing as part of the postage indicia. It has also been proposed to use a PSD connected via nonsecure communications channels such as local-area networks, to a plurality of printers for printing of such indicia.

With any of these arrangements the postage meter or PSD (referred to collectively herein as postage metering devices) contains accounting registers. The accounting registers may be pure mechanical registers in a pure mechanical postage meter, in which the postage value is stored by physical positions of gears and shafts. The registers may be nonvolatile semiconductor memories in the case of an electronic postage meter or a PSD. In any of these arrangements, the practical situation is that there is stored value in the metering device, and that stored value can be put to use only by the printing of postage value on mail pieces, or in the extreme case by taking the metering device out of service and requesting a refund from the postal authority.

DISCLOSURE OF INVENTION

In accordance with the invention, a customer's prepaid postage metering funds are made available to the customer's secure stored-value chip (e.g. SMART) card in addition to being available through a postage meter for printing of postage. Cryptographic exchanges take place between the metering device and the stored-value card to effect a transfer of stored value.

BRIEF DESCRIPTION OF DRAWING

The invention will be described with respect to a drawing in several figures, of which:

FIG. 1 is a functional block diagram of a system in accordance with the invention in which a postal security device is employed;

FIG. 2 is a functional block diagram of a prior art system in which a stored-value card is used to transfer funds to a merchant;

FIG. 3 is a functional block diagram of a prior art system in which a stored-value card receives value from a bank;

FIG. 4 is a functional block diagram of a system in accordance with the invention in which a postage meter is employed;

FIG. 5 is a flow diagram showing the passage of money and/or stored value among devices;

FIG. 6 is a functional block diagram of a typical postal security device of a type used in connection with the invention;

FIG. 7 is a functional block diagram of a typical postage meter of a type used in connection with the invention; and

FIG. 8 is a flowchart showing a typical sequence of events in the transfer of stored value from a postage metering device to a stored-value card.

MODES FOR CARRYING OUT INVENTION

Turning first to FIG. 1, what is shown is a functional block diagram of a system in accordance with the invention in which a postal security device 50 is employed. The PSD 50 contains stored postage value. When used for the printing of postage indicia, the PSD 50 provides information via nonsecure channel 52 to a nonsecure printer 51, and the information makes possible the printing of a postage indicium on the mail piece 91. Eventually the stored value in the PSD 50 is exhausted and no more postage indicia may be printed, due to the programming of the PSD 50. At that time, if not before, it is necessary to “refill” the PSD 50 by means of a telemeter setting (TMS) session. In a TMS session, a nonsecure data link 57 is established between the PSD 50 and a TMS host 58, operated by the manufacturer of the PSD 50 or an appropriate third party. The data link 57 may be a modem-to-modem telephone connection, or an ISDN connection, or a TCP/IP connection, for example. Prior to the TMS session, the user of the PSD 50 will have arranged to have funds on deposit with the manufacturer or with the postal authority 59. In the TMS session, encrypted data are exchanged so that postage value is transferred from the TMS host 58 to the PSD 50. In practical terms, the funds on deposit with the manufacturer or postal authority are decreased, and the stored value in the PSD is increased. Telemeter setting (TMS) may be carried out as set forth in EPO pub. no. EP 442761, or as set forth in PCT pub. no. WO 86-05611, each of which is incorporated herein by reference.

As will be discussed in more detail below, in the system in accordance with the invention, a smart card interface (SCI), PC card interface, or the like 53 is connected via a nonsecure communications channel 56 with the PSD 50. (Alternatively the PSD 50 and the SCI 53 may be placed within a secure housing, in which case the channel 56 is secure.) A smart card, PC card, or the like 54 may then be plugged into the SCI 53, thereby placing the smart card 54 into communication with the PSD 50. As discussed below, it is then possible to transfer stored value from the PSD 50 to the card 54.

FIG. 2 is a functional block diagram of a prior art system in which a stored-value card is used to transfer funds to a merchant. This is indeed one of the defining capabilities of a stored-value smart card of the type discussed herein. A user desiring to purchase goods or services from a merchant facility 61 may pay cash, or may pay by credit card, or may use the stored-value smart card 54 in connection with smart card interface 53 to transfer stored value to the merchant facility 61 in a manner that is well known to those skilled in the art.

FIG. 3 is a functional block diagram of a prior art system in which a stored-value card receives value from a bank. This, too, is one of the defining capabilities of a stored-value smart card of the type discussed herein. A user desiring to add to the stored value of the card will, in prior art systems, go to a bank or other financial institution 64 to arrange for the placement of stored value in the card 54.

FIG. 4 is a functional block diagram of a system in accordance with the invention in which a postage meter is employed, functioning in a fashion that is analogous to the system of FIG. 1. The postage meter 50A contains stored postage value. When used for the printing of postage indicia, the postage meter 50A prints indicia directly on the mail piece 91. Eventually the stored value in the postage meter 50A is exhausted and no more postage indicia may be printed, due to the programming of the postage meter 50A. At that time, if not before, it is necessary to “refill” the postage meter 50A by means of a telemeter setting (TMS) session. In a TMS session, a nonsecure data link 57 is established between the postage meter 50A and a TMS host 58, operated by the manufacturer of the postage meter 50A or by an appropriate third party. The data link 57 may be a modem-to-modem telephone connection, or an ISDN connection, or a TCP/IP connection, for example. Prior to the TMS session, the user of the postage meter 50A will have arranged to have funds on deposit with the manufacturer or with the postal authority 59. In the TMS session, encrypted data are exchanged so that postage value is transferred from the TMS host 58 to the postage meter 50A. In practical terms, the funds on deposit with the manufacturer or postal authority are decreased, and the stored value in the meter is increased.

In this embodiment, stored value in the postage meter 50A may be transferred to a stored-value smart card 54 via smart-card interface 53, in the same way as was described above in connection with FIG. 1.

The term “metering device” will be employed to encompass the several devices for storing postage value, including postage meters (franking machines) and postal security devices.

FIG. 5 is a flow diagram showing the passage of money and/or stored value among devices. The user of a postage device such as PSD 50 (or postage meter) places money on deposit with bank B 71 or other entity designated by the postal authority. This deposit is communicated to the TMS host 58 and thus enables the TMS host 58 to engage in a TMS session with the PSD 50 to transfer stored value into the PSD 50. In accordance with the invention, in transfer 76 some or all of the stored value of the PSD 50 is transferred to stored-value smart card 54. Then, the user of the smart card 54 obtains goods or services from merchant facility 61 (arrow 72) and in exchange, stored value is transferred to the merchant facility (arrow 77). A further exchange (arrow 73) permits the merchant facility 61 to obtain bank funds on deposit in bank A 70.

FIG. 6 is a functional block diagram of a typical postal security device 50 of a type used in connection with the invention. The PSD 50 has a secure housing 140, within which is a data bus 87 supporting a processor 80, an I/O device 86, and memories ROM 81, RAM 82, and nonvolatile RAM 83. Among the important functionalities of the PSD 50 are a key management functionality 85 and an encryption/decryption functionality 84. One design approach is to employ dedicated hardware for these two functionalities, as suggested by separate blocks 84, 85. In the usual case, however, these two functionalities are in fact carried out by the processor 80 under appropriate stored-program control responsive to ROM 81, manipulating data stored in RAM 82 and in nonvolatile RAM 83. The nonvolatile RAM 83 also contains the information about the accounting registers indicative of the stored postage value of the PSD.

It may be desirable to store the accounting data redundantly, as set forth in PCT pub. no. WO 89-11134, which is incorporated herein by reference. In addition, it may be desirable that the redundant memories be of differing technologies, as set forth in the aforementioned PCT publication. Finally, it is extremely desirable to protect the memory from harm due to processor malfunction, as set forth in U.S. Pat. No. 5,276,844, in EP pub. no. 527010, or in EP pub. no. 737944, each of which is incorporated herein by reference.
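
The redundant register storage just cited is described only by reference, so the following is a worked model of the idea, added here as an example and not code from the patent or the cited publications: the accounting register pair (descending register for value still available, ascending register for value dispensed) kept in two independent copies, each carrying a write sequence number and an integrity tag, with write-then-verify updates and recovery on read. The record layout, the truncated SHA-256 tag, the copy count and the treatment of a card transfer as a debit against the descending register are all assumptions for illustration.

```python
"""Redundant accounting registers for a metering device (FIG. 6 and the cited
WO 89-11134): added example, not the patent's code. Assumed: the descending
(value left) and ascending (value dispensed) registers live in several copies
standing in for differing memory technologies; each copy has a write sequence
number and a truncated SHA-256 tag in place of the firmware's checksum."""
import hashlib
import struct

RECORD = ">QQQI"   # seq, descending, ascending, tag

def _tag(seq, descending, ascending):
    digest = hashlib.sha256(struct.pack(">QQQ", seq, descending, ascending)).digest()
    return struct.unpack(">I", digest[:4])[0]

class RegisterCopy:
    """One copy of the register pair in one memory technology."""
    def __init__(self):
        self.raw = struct.pack(RECORD, 0, 0, 0, _tag(0, 0, 0))

    def write(self, seq, descending, ascending):
        self.raw = struct.pack(RECORD, seq, descending, ascending,
                               _tag(seq, descending, ascending))

    def read(self):
        seq, d, a, tag = struct.unpack(RECORD, self.raw)
        if tag != _tag(seq, d, a):
            raise ValueError("register copy corrupt")
        return seq, d, a

class AccountingRegisters:
    """Register pair with write-then-verify updates and self-repair on read."""
    def __init__(self, copies=2):
        self.copies = [RegisterCopy() for _ in range(copies)]
        self.repaired = 0   # copies rewritten by the last read()

    def read(self):
        """Return (descending, ascending), healing corrupt or stale copies.

        A copy is corrupt when its tag fails, or stale when it is valid but
        carries a lower seq, as left behind by an update interrupted between
        copies. The valid copy with the highest seq is the last completed
        write and wins; the others are rewritten from it.
        """
        results = []
        for c in self.copies:
            try:
                results.append(c.read())
            except ValueError:
                results.append(None)
        valid = [r for r in results if r is not None]
        if not valid:
            raise RuntimeError("all register copies corrupt: take device out of service")
        best = max(valid)   # tuples compare on seq first
        self.repaired = 0
        for c, r in zip(self.copies, results):
            if r != best:
                c.write(*best)
                self.repaired += 1
        return best[1], best[2]

    def _commit(self, descending, ascending):
        """Write every copy in turn and verify each before moving on."""
        seq = max(c.read()[0] for c in self.copies) + 1
        for c in self.copies:
            c.write(seq, descending, ascending)
            if c.read() != (seq, descending, ascending):
                raise RuntimeError("register write failed verification")

    def credit(self, amount):
        """TMS refill (FIG. 1): raises the descending register."""
        d, a = self.read()
        if amount <= 0:
            raise ValueError("credit must be positive")
        self._commit(d + amount, a)
        return d + amount

    def debit(self, amount):
        """Postage printed or value moved to a card; the block 119 check."""
        d, a = self.read()
        if amount <= 0 or amount > d:
            raise ValueError("insufficient funds")
        self._commit(d - amount, a + amount)
        return d - amount
```

The sequence number is what lets a reader tell a corrupt copy from one that is merely stale after an update interrupted between copies; without it, two copies with valid tags that disagree cannot be reconciled. A real device would additionally place the copies in different memory technologies and guard the write path against a runaway processor, which this model represents only by the verify step after each write.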

FIG. 7 is a functional block diagram of a typical postage meter 50A of a type used in connection with the invention. Its function is closely analogous to that of the PSD 50 of FIG. 6. A chief difference is that the printer 51A is within the secure housing 140.

FIG. 8 is a flowchart showing a typical sequence of events in the transfer of stored value from a postage metering device to a stored-value card. The stored-value smart card 54 (refer to FIG. 1) is inserted into the smart-card interface 53 (FIG. 1), at block 110 (FIG. 8). By prearrangement the particular card and PSD are set up to be capable of performing the transfer according to the invention, so a test is made at block 111 to see if the card and PSD or metering device (MD) recognize each other. If the test fails, then at 112 a test is made to see whether a permitted number of attempts has been exceeded. If the permitted number has been exceeded then an exception handler is invoked (block 117) which may result in blocking further function of the MD or further function of the smart card.

Assuming the MD and card do recognize each other, then the user is afforded an opportunity at block 113 to enter a personal identification number (PIN) and a test is made to see if the PIN is correct. If the test fails, then at 115 a test is made to see whether a permitted number of attempts has been exceeded. If the permitted number has been exceeded then an exception handler is invoked (block 116) which may result in blocking further function of the MD or further function of the smart card.

Assuming the PIN is correct, then the user is given an opportunity at block 118 to specify the amount of stored value to transfer between the metering device and the stored-value card. A test is made at block 119 to determine whether there are sufficient funds in the metering device. If there are sufficient funds, then the registers in the stored-value card and in the metering device are adjusted to reflect the transfer (block 120). “Personality” information in each device is optionally updated to reflect that each device has participated in the transfer (block 121).

It will be appreciated that what has been set forth is a system which uses the inherent security of postage metering funds stored within a tamper-resistant postage metering memory system, to provide the ability for a customer to retrieve desired funds from the metering system. The funds are added to the stored value in a customer's SMART card such that the SMART card commences to have prepayment value added and the metering system has said value subtracted from its registers.

Funds can be downloaded from the metering registers to a SMART card in a secure manner, thus minimizing the opportunity for fraud. The metering device and the SMART card device have complementary cryptographic algorithms such that only a specifically defined metering device or devices and a specifically defined SMART card device or devices will possess the unique data required to identify the card to the metering system and the metering system to the card. At the time of funds transfer from the metering device to the SMART card device, the metering device and the SMART card device update their complementary cryptographic algorithms to relate to the new conditions of the funds just transferred, amount transferred over time (totalizer), date of transfer and the like. Once updated, the resultant encrypted data transferred between the SMART card device and the metering device are unique and one-of-a-kind, dedicated only to those two communicating devices.

The underlying uniqueness is developed by utilizing the personality of the SMART card related to its internal identification number, the metering device serial number (or other metering system identification number), the amount of funds transferred over time (totalizer amount), date of exchange, other internal SMART card identifying parameters, or customer PIN. The PIN is the only customer activity that can potentially be compromised in that if care is not taken, a third party can observe the PIN that is being entered. Such information is of only limited value to a would-be wrongdoer, however, because it would be necessary not only to possess the PIN but also the particular card, and it would be necessary to gain access to the metering device. That argument also relies on the attempt limit of block 115, which keeps a holder of the card from simply guessing the PIN.
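
As an added example of the sequence of FIG. 8 and of the pair-unique recognition data described in the preceding two paragraphs (not code from the patent), the following Python models both sides of the exchange. The shared pairing secret installed at prearrangement, the HMAC challenge-response for block 111, the PBKDF2 PIN check on the card, the attempt limit of three, and the ratchet of the pairing secret over amount, totalizer and date at block 121 are all assumptions standing in for the unspecified “complementary cryptographic algorithms”; the identifiers, PIN and dates are sample values.

```python
"""FIG. 8 transfer sequence with pair-unique recognition data (added example,
not the patent's code). Assumed: a pairing secret shared at prearrangement;
HMAC challenge-response over card ID, meter serial and totalizer for block
111; PIN checked on the card; after each transfer both sides ratchet the
secret over amount, totalizer and date (block 121). Sample identifiers."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3

class Blocked(Exception):
    """Exception handler of blocks 116/117: the device refuses further use."""

def _mac(key, *parts):
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:   # length-prefixed so adjacent fields cannot run together
        p = p if isinstance(p, bytes) else str(p).encode()
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

class PairedDevice:
    """State either side keeps for one card/meter pairing."""
    def __init__(self, ident, pair_key, value):
        self.ident, self.key, self.value = ident, pair_key, value
        self.totalizer = 0      # amount transferred over time
        self.failures = 0       # recognition failures, block 112
        self.blocked = False

    def prove(self, peer, nonces, role):
        return _mac(self.key, role, self.ident, peer, *nonces, self.totalizer)

    def check(self, peer, proof, nonces, role):
        if self.blocked:
            raise Blocked(self.ident)
        expect = _mac(self.key, role, peer, self.ident, *nonces, self.totalizer)
        if hmac.compare_digest(expect, proof):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.blocked = True
            raise Blocked(self.ident)
        return False

    def ratchet(self, amount, date):
        """Block 121: fold the transfer into the pair's shared state."""
        self.totalizer += amount
        self.key = _mac(self.key, "ratchet", amount, self.totalizer, date)

class Card(PairedDevice):
    def __init__(self, ident, pair_key, value, pin):
        super().__init__(ident, pair_key, value)
        self.salt = secrets.token_bytes(16)
        self.pin_tag = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 20000)
        self.pin_failures = 0

    def verify_pin(self, pin):
        """Blocks 114/115: PIN checked on the card, limited attempts."""
        if self.blocked:
            raise Blocked(self.ident)
        tag = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 20000)
        if hmac.compare_digest(tag, self.pin_tag):
            self.pin_failures = 0
            return True
        self.pin_failures += 1
        if self.pin_failures >= MAX_ATTEMPTS:
            self.blocked = True
            raise Blocked(self.ident)
        return False

def recognise(md, card):
    """Block 111: each side proves the pairing key and the same totalizer."""
    nonces = (secrets.token_bytes(16), secrets.token_bytes(16))   # (meter, card)
    if not md.check(card.ident, card.prove(md.ident, nonces, "card"), nonces, "card"):
        return False
    return card.check(md.ident, md.prove(card.ident, nonces, "md"), nonces, "md")

def transfer(md, card, pin, amount, date):
    """Blocks 110-121; returns (meter value, card value) after the transfer."""
    if not recognise(md, card):
        raise PermissionError("card and metering device do not recognise each other")
    if not card.verify_pin(pin):
        raise PermissionError("wrong PIN")
    if amount <= 0 or amount > md.value:          # block 119
        raise ValueError("insufficient funds in metering device")
    md.value -= amount                            # block 120
    card.value += amount
    md.ratchet(amount, date)                      # block 121, both sides
    card.ratchet(amount, date)
    return md.value, card.value

def attempt(md, card, pin, amount, date):
    """One try as a string: 'ok m/c', 'blocked <id>' or 'rejected: <reason>'."""
    try:
        return "ok %d/%d" % transfer(md, card, pin, amount, date)
    except Blocked as e:
        return "blocked %s" % e
    except (PermissionError, ValueError) as e:
        return "rejected: %s" % e
```

The property worth checking is the last one in the flow: a second card issued with the same identifier and pairing secret, or a copy of the card's state taken before a transfer, is refused afterwards because the real card and the meter have moved their shared key and totalizer on together, which is the “one-of-a-kind” behaviour claimed above. Two things the model leaves out that a real device must handle: the register adjustment of block 120 has to be committed on both sides as one transaction (a log and a two-phase commit, or a power loss between the two writes creates or destroys value), and the attempt counters must live in nonvolatile memory so that a reset does not clear them.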

The chief benefit to the user is that prepaid postage funds are available for use as needed, rather than being dedicated only to postage. In effect the prepaid escrow account residing in the metering device is available to the account's owner.

What is claimed is:
1. A method of transferring funds to a stored-value card, said method mediated by a metering device adapted to enable the printing of postage indicia on mail pieces, said method comprising the steps of: placing a first amount of funds on deposit with the operator of a telemeter setting host; performing a telemeter setting session between the host and a metering device, whereby stored value is stored in a postal security device in said metering device in relation to said first amount of funds; causing said card to be communicatively coupled with said postal security device in said metering device; confirming existence of a predetermined relation between said card and said metering device; reducing the stored value in the postal security device in said metering device by a second amount of funds; and increasing the stored value in the card by the second amount of funds.
2. The method of claim 1 wherein the first and second amounts are the same.
3. The method of claim 1 wherein the first amount is greater than the second amount.
4. The method of claim 1 wherein the metering device is a postage meter.
5. The method of claim 1, wherein value is transferred from said postal security device directly to said stored-value card.
6. A system for transferring a first stored-value amount from a host to a metering device and subsequently transferring a second stored-value amount from the metering device to a card carrying encrypted information indicative of stored value, said system comprising: telemeter setting means associated with the host and the metering device for transferring the first stored-value amount from the host to a postal security device in the metering device in response to a request therefor; an interface adapted to receive the stored-value card, said interface communicatively coupled with the postal security device in the metering device; means responsive to a user request for confirming that the metering device and card are in a predetermined relationship; means for determining whether said postal security device in said metering device has stored within it at least the second stored-value amount; and means for reducing the stored value within the postal security device in the metering device by the second stored-value amount and for increasing the stored value in the card by the second stored-value amount.
7. The system of claim 6 wherein the metering device is a postage meter.
8. The system of claim 6, wherein value is transferred from said postal security device directly to said stored-value card.
9. Apparatus for handling a request for a transfer of a requested amount of stored value from a postal security device in a metering device to a card carrying encrypted information indicative of stored value, said apparatus comprising: an interface adapted to receive the stored-value card, said interface communicatively coupled with the postal security device in the metering device; means responsive to a user request for confirming that the metering device and card are in a predetermined relationship; means for determining whether said postal security device in said metering device has stored within it at least the requested amount; and means for reducing the stored value in the postal security device in the metering device by the requested amount, and for increasing the stored value in the card by the requested amount.
10. The apparatus of claim 9, wherein the metering device is a postage meter.
11. The apparatus of claim 9, wherein value is transferred from said postal security device directly to said stored-value card.